Atlassian warns of critical security vulnerability

Confluence server can leak creds, cloud version is safe, fix is in.

Atlassian has revealed a critical security issue in Confluence server.

An advisory (sign-in required) issued at 3:00AM Thursday, Australian time, offered the following explanation of the flaw:

“Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the /confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, potentially leaking credentials, such as LDAP credentials, or other sensitive information. The potential to leak LDAP credentials exists if LDAP credentials are specified in an atlassian-user.xml file, which is a deprecated method for configuring LDAP integration.”

All versions of Confluence Server and Confluence Data Center from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.

Atlassian has released version 6.15.8 of Confluence Server to fix the problem and recommends a swift upgrade; the 6.15 release notes and the new version are already available.

Users of the Enterprise release of Confluence Server have a different upgrade path, to version 6.6.16 or 6.13.7 (the fixed releases for the 6.6.x and 6.13.x lines).

For those who cannot upgrade immediately, Atlassian also offers a workaround rather than a fix: set the atlassian.confluence.export.word.max.embedded.images system property to 0, which caps the number of images embedded in Word exports at zero. Word exports will then contain no images, but the export path the advisory describes can no longer be used to pull files out of the /confluence/WEB-INF directory.
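As an added example, not part of the article or of Atlassian's own tooling, the following POSIX shell script applies the workaround above to a Confluence install's bin/setenv.sh, verifies that the value the JVM will actually see is 0, and checks whether the deprecated atlassian-user.xml that the advisory singles out is present. It assumes (the page does not say so) that Confluence reads extra JVM options from CATALINA_OPTS in <install>/bin/setenv.sh, that the legacy LDAP file lives at <install>/confluence/WEB-INF/classes/atlassian-user.xml, and that the JVM honours the last duplicate -D option on its command line. The demo at the bottom runs on a constructed sample file, not a real install.

```shell
#!/bin/sh
# Added example (not Atlassian's code or the article's): apply and verify the
# interim workaround for the Confluence Word-export file disclosure by pinning
# the JVM system property to 0 in bin/setenv.sh, and check for the deprecated
# atlassian-user.xml that the advisory says can hold LDAP credentials.
#
# Assumptions (not stated on the page):
#   - Confluence picks up JVM options from CATALINA_OPTS in <install>/bin/setenv.sh.
#   - The deprecated LDAP config lives at
#     <install>/confluence/WEB-INF/classes/atlassian-user.xml.
#   - The JVM honours the LAST duplicate -Dname=value on its command line, so the
#     override is appended after any existing CATALINA_OPTS lines rather than
#     prepended, where an earlier non-zero value would win.
# A Confluence restart is still required for the property to take effect.

PROP='atlassian.confluence.export.word.max.embedded.images'

# effective_setting SETENV_FILE
# Print the value from the last "-D$PROP=<n>" in the file; print nothing if unset.
effective_setting() {
    sed -n "s/.*-D${PROP}=\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# check_workaround SETENV_FILE -> exit 0 only if the property is pinned to 0
check_workaround() {
    [ "$(effective_setting "$1")" = "0" ]
}

# apply_workaround SETENV_FILE
# Idempotent: appends an override only if the effective value is not already 0.
apply_workaround() {
    if check_workaround "$1"; then
        return 0
    fi
    printf '\n# Workaround from the Atlassian advisory: no images in Word exports\n' >> "$1"
    printf 'CATALINA_OPTS="${CATALINA_OPTS} -D%s=0"\nexport CATALINA_OPTS\n' "$PROP" >> "$1"
}

# legacy_ldap_config_present INSTALL_DIR -> exit 0 if the deprecated file exists
legacy_ldap_config_present() {
    [ -f "$1/confluence/WEB-INF/classes/atlassian-user.xml" ]
}

# Demo on a constructed setenv.sh (sample input, not a real install).
demo_dir=$(mktemp -d)
demo_setenv="$demo_dir/setenv.sh"
printf 'CATALINA_OPTS="-Xms1024m -Xmx1024m ${CATALINA_OPTS}"\nexport CATALINA_OPTS\n' > "$demo_setenv"
apply_workaround "$demo_setenv"
if check_workaround "$demo_setenv"; then
    echo "workaround pinned: $PROP=$(effective_setting "$demo_setenv")"
fi
if legacy_ldap_config_present "$demo_dir"; then
    echo "deprecated atlassian-user.xml present: inspect it for LDAP credentials"
else
    echo "no atlassian-user.xml under $demo_dir: legacy LDAP credential path not in use"
fi
rm -rf "$demo_dir"
```

To use it on a real server, call apply_workaround and check_workaround on the install's own bin/setenv.sh and legacy_ldap_config_present on the install directory, then restart Confluence. The workaround only removes images from Word exports; it is not a substitute for upgrading to the fixed versions listed above.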

The advisory is only the eighth Atlassian has issued this year; the company issued eight in all of 2018, a comparatively low count against other vendors.

Copyright © nextmedia Pty Ltd. All rights reserved.